CVE-2025-6044: Files or Directories Accessible to External Parties in Google ChromeOS
An Improper Access Control vulnerability in the Stylus Tools component of Google ChromeOS version 16238.64.0 on the garaged stylus devices allows a physical attacker to bypass the lock screen and access user files by removing the stylus while the device is closed and using the screen capture feature.
AI Analysis
Technical Summary
CVE-2025-6044 is an Improper Access Control vulnerability identified in the Stylus Tools component of Google ChromeOS version 16238.64.0, specifically affecting garaged stylus devices. The vulnerability allows a physical attacker to bypass the device's lock screen and gain unauthorized access to user files. The attack vector involves removing the stylus from the device while it is closed and then exploiting the screen capture feature to access files without authentication. This indicates a flaw in the access control mechanisms governing file and directory permissions when the device is locked, particularly related to stylus interactions. The vulnerability is classified under CWE-287 (Improper Authentication), highlighting that the system fails to properly verify user credentials or device state before granting access. The CVSS v3.1 base score is 6.1 (medium severity), with an attack vector of physical (AV:P), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H), but no impact on availability (A:N). There are no known exploits in the wild and no patches currently available. This vulnerability is significant because it allows direct physical bypass of security controls, potentially exposing sensitive user data without requiring sophisticated technical skills or remote access.
Potential Impact
For European organizations, this vulnerability poses a tangible risk particularly to sectors where ChromeOS devices with stylus support are used in sensitive environments, such as education, government, and corporate offices. The ability to bypass the lock screen and access files physically undermines endpoint security, potentially leading to data breaches involving confidential information, intellectual property, or personal data protected under GDPR. Since the attack requires physical access, the threat is more pronounced in scenarios where devices are left unattended or in shared spaces. The integrity of data can also be compromised, as attackers might modify or exfiltrate files without detection. Although availability is not impacted, the breach of confidentiality and integrity can lead to regulatory penalties, reputational damage, and operational disruptions. The lack of a patch increases the window of exposure, necessitating immediate compensating controls. The medium severity rating reflects the physical access requirement but high impact on data security, making it a critical consideration for organizations with high-value or sensitive data on ChromeOS devices.
Mitigation Recommendations
Beyond generic advice such as applying patches (which are currently unavailable), European organizations should implement strict physical security controls to mitigate this vulnerability. This includes enforcing policies that prevent unattended devices in public or shared environments, using physical locks or secure storage for devices when not in use, and educating users about the risks of leaving devices accessible. Additionally, organizations should consider disabling or restricting the stylus screen capture feature via device management policies if possible, or configuring ChromeOS to require re-authentication for any screen capture or stylus-related actions when the device is locked. Employing endpoint detection and response (EDR) tools that can monitor unusual device interactions or file access patterns may help detect exploitation attempts. Organizations should also maintain an inventory of affected ChromeOS devices and monitor vendor communications for patches or updates. Finally, implementing full disk encryption and strong user authentication mechanisms can reduce the impact of unauthorized file access.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: ChromeOS
- Date Reserved: 2025-06-12T21:41:59.445Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 686c1b656f40f0eb72ec2c9b
Added to database: 7/7/2025, 7:09:25 PM
Last enriched: 7/14/2025, 9:06:33 PM
Last updated: 10/7/2025, 1:48:19 PM